"Disable Auto-added VPN rules" not working & ASN 1 DN
  • Hello,

    Unfortunately the setting to deactivate the automatically generated VPN rules does not work for me.

    I have 2 pfSense firewalls in use and on both this setting is active, but they still establish a connection. How can that be?

    Shouldn't the firewall block all attempts to initiate a connection?

    Furthermore, I have activated the ASN.1 Distinguished Name identifier for mutual authentication. This is equivalent to the common name of the respective client certificates, isn't it?

    Thanks


  • Netgate Administrator

    IPsec is using UDP and, usually, ESP. If both firewalls are configured to establish a tunnel then both will open outbound states to the other IP. Those states will match the incoming traffic from the other side, passing it.
    If you set one side to responder only I would expect it to fail.

    ASN.1 is the identifier type which is sent along with the identifier value. It must match what the other side is set to. If both sides are pfSense that's obviously not a problem.
    For example we corrected that for KeyID in 2.4.5: https://redmine.pfsense.org/issues/9243

    Steve
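To make the point about states concrete, here is a toy stateful packet filter, added as an example and not code from the thread or from pfSense/pf. The rules, addresses and the five-tuple state key are constructed for the demonstration (pf's real rule set and state matching are richer than this); it shows that when the local firewall has itself sent IKE and ESP to the peer, the peer's packets are passed by the existing outbound states even though no inbound VPN rule exists, while a responder-only box with no such state blocks them.

```python
# Added example, not from the thread or pfSense: a toy stateful packet filter
# that shows why a peer's IKE/ESP packets are passed even with no inbound VPN
# rule when the local firewall has itself initiated to that peer.  Constructed
# rules and addresses; pf's real rule set and state keys are richer than this.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" on the WAN
    proto: str      # "udp" or "esp"
    src: str
    dst: str
    sport: int = 0  # 0 for ESP, which has no ports
    dport: int = 0


class StatefulFilter:
    """Rules are (direction, proto, dport or None, action).  A first packet
    that matches a pass rule creates a state; later packets in either
    direction that match a state are passed without consulting the rules."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        # Reply direction of the same flow: src/dst and ports swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (existing state)"
        for direction, proto, dport, action in self.rules:
            if direction == p.direction and proto == p.proto and dport in (None, p.dport):
                if action == "pass":
                    self.states.add(self._key(p))
                return f"{action} (rule)"
        return "block (default deny)"


LOCAL, PEER = "192.0.2.1", "198.51.100.1"  # constructed documentation addresses


def wan_filter():
    # "Disable Auto-added VPN rules" set: nothing passes IKE or ESP inbound.
    # Traffic originated by the firewall itself is still allowed outbound.
    return StatefulFilter([("out", "udp", None, "pass"), ("out", "esp", None, "pass")])


def peer_ike_arrives(local_initiated):
    """Verdict for the peer's IKE packet (UDP 500 -> 500) on the local WAN."""
    fw = wan_filter()
    if local_initiated:
        # The local IKE daemon sends its own IKE_SA_INIT first, creating a state.
        fw.filter(Packet("out", "udp", LOCAL, PEER, 500, 500))
    # The peer's packet has the same 5-tuple reversed, so it matches that state.
    return fw.filter(Packet("in", "udp", PEER, LOCAL, 500, 500))


def peer_esp_arrives(local_initiated):
    """Same check for ESP, which is keyed on protocol and addresses only."""
    fw = wan_filter()
    if local_initiated:
        fw.filter(Packet("out", "esp", LOCAL, PEER))
    return fw.filter(Packet("in", "esp", PEER, LOCAL))


if __name__ == "__main__":
    for initiated in (True, False):
        print(f"local initiated={initiated}: IKE {peer_ike_arrives(initiated)}, "
              f"ESP {peer_esp_arrives(initiated)}")
```

With both firewalls initiating, each side's own outbound state is what lets the other side in, so the inbound rule setting never comes into play; only a side that never sends first (responder only) reaches the default deny.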



  • @stephenw10

    Thank you very much for your answer!

    I do not quite understand the ASN.1.
    I have now entered different values for ASN.1, including values that differed between the two pfSense firewalls. Nevertheless, a connection was made between the two. Does the ASN.1 value play a role?

    For authentication I use Mutual RSA.


  • Netgate Administrator

    Hmm, I would not expect them to connect with mismatched identifiers. Did you stop-start the ipsec service between changes? It's possible it was still running with the previous value.

    Steve
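Both of Steve's replies turn on what an "ASN.1 Distinguished Name" identifier is and how a peer compares it. The following is an added example, not code from the thread, pfSense or strongSwan: a minimal DER encoder/decoder for an X.509 Name plus the IKEv2 ID payload framing (type byte and three reserved octets, with ID_FQDN = 2 and ID_DER_ASN1_DN = 9 as assigned in RFC 7296 section 3.5). The sample subject DN is constructed, the encoder only handles UTF8String attributes, and the final byte-for-byte comparison is a simplification of a real daemon's identity check. What it shows is that the DN identifier carries every RDN of the certificate subject, so a value containing only the CN is a different identifier.

```python
# Added example, not from the thread or pfSense/strongSwan code: what the
# "ASN.1 Distinguished Name" identifier type actually carries.  In IKEv2 an
# ID payload is a type byte, 3 reserved octets and a value (RFC 7296, 3.5);
# for ID_DER_ASN1_DN (9) the value is the DER-encoded X.509 Name, i.e. every
# RDN of the certificate subject, not only the CN attribute.  The DER code
# below handles UTF8String attributes only and is not a general X.509 parser.

OID_C = (2, 5, 4, 6)
OID_O = (2, 5, 4, 10)
OID_CN = (2, 5, 4, 3)
OID_NAMES = {OID_C: "C", OID_O: "O", OID_CN: "CN"}

ID_FQDN = 2            # IKEv2 ID types, RFC 7296 sec. 3.5
ID_DER_ASN1_DN = 9


def _der_tlv(tag, content):
    """DER tag-length-value, short form only (content < 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _der_oid(arcs):
    """Encode an OID whose first arc is 0..2 with second arc < 40 (covers 2.5.4.x)."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der_tlv(0x06, bytes(body))


def encode_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    out = b""
    for oid, value in rdns:
        atv = _der_tlv(0x30, _der_oid(oid) + _der_tlv(0x0C, value.encode("utf-8")))
        out += _der_tlv(0x31, atv)  # one single-valued RDN per SET
    return _der_tlv(0x30, out)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def decode_name(der):
    """Inverse of encode_name: list of (oid, value) in wire order."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        assert tag == 0x31
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid_body, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        rdns.append((_decode_oid(oid_body), value.decode("utf-8")))
    return rdns


def dn_string(rdns):
    """Readable form, as a certificate viewer would show the subject."""
    return ", ".join(f"{OID_NAMES.get(oid, '.'.join(map(str, oid)))}={v}" for oid, v in rdns)


def common_name(rdns):
    return next(v for oid, v in rdns if oid == OID_CN)


def id_payload(id_type, data):
    """IKEv2 Identification payload body: ID Type, 3 reserved octets, data."""
    return bytes([id_type, 0, 0, 0]) + data


def responder_accepts(expected_payload, received_payload):
    """Simplified check: the configured peer identifier must equal the received one."""
    return expected_payload == received_payload


# Constructed sample subject of the peer's certificate.
PEER_SUBJECT = [(OID_C, "DE"), (OID_O, "Example GmbH"), (OID_CN, "fw-a.example.test")]


def demo():
    sent = id_payload(ID_DER_ASN1_DN, encode_name(PEER_SUBJECT))
    full_dn = id_payload(ID_DER_ASN1_DN, encode_name(PEER_SUBJECT))
    cn_only = id_payload(ID_DER_ASN1_DN, encode_name([(OID_CN, common_name(PEER_SUBJECT))]))
    as_fqdn = id_payload(ID_FQDN, common_name(PEER_SUBJECT).encode("utf-8"))
    return {
        "subject": dn_string(decode_name(sent[4:])),
        "full DN configured": responder_accepts(full_dn, sent),
        "CN only configured as DN": responder_accepts(cn_only, sent),
        "CN configured as FQDN": responder_accepts(as_fqdn, sent),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Only the entry that is the complete subject DN, sent as type 9, matches; the same CN sent as a shorter DN or as an FQDN is a different identifier, which is the mismatch Steve would expect to stop the tunnel.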



  • @stephenw10 Yes, I did this, but only for one side.

